The elephant in the room

In every organisation there are two types of traffic – inspected traffic and non-inspected traffic. There’s a reason for that. Well, actually, it’s one of three reasons - performance, scalability or cost.

According to research published by NSS Labs, it found that organisations inspecting SSL code on average experienced 74 per cent performance loss with 512 and 1024 bits ciphers. This increases to 81 per cent loss with 2048 bits cipher – the current industry standard. And the proxy performance drop is even worse.

In light of this reality, many organisations are faced with a decision – either accept the hit to performance, spend money on more kit to inspect SSL traffic, or turn a blind eye to all HTTPS. While once the latter may have been a working solution, today it’s a foolhardy strategy.

SSL – a growing hill to climb

Today, the reality is that 25 per cent of all Internet traffic uses SSL encryption, and it is likely that this traffic is not being scanned for malware due to limitations of security systems in place or lack of bandwidth.

For those that like a visual reference - for every four people knocking on the organisation’s virtual front door, three are frisked while one is allowed to jump unchallenged through an open window. That statistic is frightening - one quarter of enterprise traffic has the potential to carry a malicious payload right into the heart of the organisation, with this figure predicted to increase by 20 per cent year on year.

And malicious coders are relying on this inaptitude.

In fact, according to Zscaler’s filters, 16 per cent of all malware traffic blocked is over SSL. And while you might like to think that it’s relatively harmless bits of code, it’s not - ZeroAccess, Bitcoin miner Trojans, Poison backdoor, BlackHole, Ransomware, Kazy Trojan. The one thing they all had in common was SSL.

Another element to cover before moving on is sandboxing - allowing the binary code to run and then check it behaves normally or if it triggers rules that identify it as potentially malicious. When examining the results in isolation, Zscaler’s April statistics determined that 46 per cent of resultant malware blocked was HTTP, 31 per cent HTTPS and an astonishing 23 per cent a mixture of both. Ultimately, a total of 54 per cent of malicious traffic used SSL to deliver APTs.

Blending is another trick

Of course, what’s knocking on the front door is only half the problem. Sometimes what might on the surface appear to be a benign program can actually unleash hell once it’s find a comfy network corner.

One such example, identified by Zscaler in a Fortune 500 organisation, was the case of Dr Watson. Initially, the program downloaded over HTTP, was identified as coming from a trusted source – in this case Dropbox, deemed to be benign and allowed entry. However, once safely inside, the Trojan began to download additional malicious files from DropBox using SSL to conceal its illicit activity.

Time to see beyond the facade

Organisations need to employ a three step process if they’re to successfully protect against APTs - protect, detect and remediate. There are numerous articles covering each of these steps so rather than reiterate those here, we’ll focus on taking action against SSL disguised threats.

Here’s our suggested five step plan of action:

Take your head out of the sand and accept that this is a real threat. Only then can you start to formulate a plan, and put it in place, to address SSL bearing malicious payloads. You can’t, and mustn’t, ignore it.

Put plans and budgets in place. Accept that it is going to require network infrastructure investment. It’s the only way you’ll be able to look inside SSL and identify malware, if you’re to avoid taking a hefty performance hit.

Respect employee privacy by engaging with them. Employee privacy is a hotly debated topic, if you allow your employees to complete personal activities using corporate infrastructure – and its archaic not to, then you have to expect privacy to a certain extent. But that doesn’t mean it comes at the expense of security. Engage with employees, explain why it’s important to inspect network traffic, and highlight the benefits of doing so – from both a company and personal perspective. Ultimately, if your systems are compromised, it leaves them vulnerable too.

Having opened the dialogue, there are some sites that can be trusted – for example online banking systems. That means you can create a whitelist of ‘trusted’ SSL traffic, which can pass through. The benefits are two-fold – you demonstrate respect for your employees personal communications, but you also reduce the amount of traffic being critiqued. This doesn’t have to be a cumbersome process as technologies exist that can allow you to automate.

Finally continue to monitor the hits that you get on SSL to ensure your whitelist remains trusted.

SSL simply encrypts traffic, it does not guarantee that it is clean. If the site on the other side is either malicious or been compromised then you are in trouble. Inspecting encrypted SSL is a challenge, but it’s not impossible. Are you going to secure your doors and windows?